mac-understandlabel.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Understanding MAC Labels</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="Explanation of MAC" href="mac-initial.html" />
<link rel="NEXT" title="Module Configuration" href="mac-modules.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-initial.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-modules.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-UNDERSTANDLABEL" name="MAC-UNDERSTANDLABEL">15.4
Understanding MAC Labels</a></h1>

<p>A <acronym class="ACRONYM">MAC</acronym> label is a security attribute which may be
applied to subjects and objects throughout the system.</p>

<p>When setting a label, the user must be able to comprehend what it is, exactly, that is
being done. The attributes available on an object depend on the policy loaded, and that
policies interpret their attributes in pretty different ways. If improperly configured
due to lack of comprehension, or the inability to understand the implications, the result
will be the unexpected and perhaps, undesired, behavior of the system.</p>

<p>The security label on an object is used as a part of a security access control
decision by a policy. With some policies, the label by itself contains all information
necessary to make a decision; in other models, the labels may be processed as part of a
larger rule set, etc.</p>

<p>For instance, setting the label of <var class="LITERAL">biba/low</var> on a file will
represent a label maintained by the Biba policy, with a value of ``low''.</p>

<p>A few policies which support the labeling feature in FreeBSD offers three specific
predefined labels. These are the low, high, and equal labels. Although they enforce
access control in a different manner with each policy, you can be sure that the low label
will be the lowest setting, the equal label will set the subject or object to be disabled
or unaffected, and the high label will enforce the highest setting available in the Biba
and <acronym class="ACRONYM">MLS</acronym> policies.</p>

<p>Within single label file system environments, only one label may be used on objects.
This will enforce one set of access permissions across the entire system and in many
environments may be all that is required. There are a few cases; however, where multiple
labels may be set on objects or subjects in the file system. For those cases, the <var
class="OPTION">multilabel</var> option may be passed to <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=tunefs&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">tunefs</span>(8)</span></a>.</p>

<p>In the case of Biba and <acronym class="ACRONYM">MLS</acronym>, a numeric label may be
set to indicate the precise level of hierarchical control. This numeric level is used to
partition or sort information into different groups of say, classification only
permitting access to that group or a higher group level.</p>

<p>In most cases the administrator will only be setting up a single label to use
throughout the file system.</p>

<p><span class="emphasis"><i class="EMPHASIS">Hey wait, this is similar to <acronym
class="ACRONYM">DAC</acronym>! I thought <acronym class="ACRONYM">MAC</acronym> gave
control strictly to the administrator.</i></span> That statement still holds true, to
some extent <tt class="USERNAME">root</tt> is the one in control and who configures the
policy so that users are placed in the appropriate categories/access levels. Alas, many
policies can restrict the <tt class="USERNAME">root</tt> user as well. Basic control over
objects will then be released to the group but <tt class="USERNAME">root</tt> may revoke
or modify the settings at any time. This is the hierarchal/clearance model covered by
policies such as Biba and <acronym class="ACRONYM">MLS</acronym>.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22090" name="AEN22090">15.4.1 Label Configuration</a></h2>

<p>Virtually all aspects of label policy configuration will be performed using the base
system utilities. These commands provide a simple interface for object or subject
configuration or the manipulation and verification of the configuration.</p>

<p>All configuration may be done by use of the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=setfmac&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">setfmac</span>(8)</span></a> and <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=setpmac&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">setpmac</span>(8)</span></a> utilities.
The <tt class="COMMAND">setfmac</tt> command is used to set <acronym
class="ACRONYM">MAC</acronym> labels on system objects while the <tt
class="COMMAND">setpmac</tt> command is used to set the labels on system subjects.
Observe:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">setfmac biba/high test</kbd>
</pre>

<p>If no errors occurred with the command above, a prompt will be returned. The only time
these commands are not quiescent is when an error occurred; similarly to the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=chmod&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">chmod</span>(1)</span></a> and <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=chown&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">chown</span>(8)</span></a> commands. In
some cases this error may be a ``<tt class="ERRORNAME">Permission denied</tt>'' and is
usually obtained when the label is being set or modified on an object which is
restricted.<a id="AEN22114" name="AEN22114" href="#FTN.AEN22114"><span
class="footnote">[1]</span></a> The system administrator may use the following commands
to overcome this:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">setfmac biba/high test</kbd>
``<tt class="ERRORNAME">Permission denied</tt>''
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setpmac biba/low setfmac biba/high test</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">getfmac test</kbd>
test: biba/high
</pre>

<p>As we see above, <tt class="COMMAND">setpmac</tt> can be used to override the policy's
settings by assigning a different label to the invoked process. The <tt
class="COMMAND">getpmac</tt> utility is usually used with currently running processes,
such as <b class="APPLICATION">sendmail</b>: although it takes a process ID in place of a
command the logic is extremely similar. If users attempt to manipulate a file not in
their access, subject to the rules of the loaded policies, the ``<tt
class="ERRORNAME">Operation not permitted</tt>'' error will be displayed by the <code
class="FUNCTION">mac_set_link</code> function.</p>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN22130" name="AEN22130">15.4.1.1 Users and Label
Settings</a></h3>

<p>Users themselves are required to have labels so that their files and processes may
properly interact with the security policy defined on the system. This is configured
through the <tt class="FILENAME">login.conf</tt> file by use of login classes. Every
policy that uses labels will implement the user class setting.</p>

<p>An example entry containing every policy is listed below:</p>

<pre class="PROGRAMLISTING">
default:\
    :copyright=/etc/COPYRIGHT:\
    :welcome=/etc/motd:\
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
    :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
    :manpath=/usr/share/man /usr/local/man:\
    :nologin=/usr/sbin/nologin:\
    :cputime=1h30m:\
    :datasize=8M:\
    :vmemoryuse=100M:\
    :stacksize=2M:\
    :memorylocked=4M:\
    :memoryuse=8M:\
    :filesize=8M:\
    :coredumpsize=8M:\
    :openfiles=24:\
    :maxproc=32:\
    :priority=0:\
    :requirehome:\
    :passwordtime=91d:\
    :umask=022:\
    :ignoretime@:\
    :label=partition/13,mls/5,biba/10(5-15),lomac10[2]:
</pre>

<p>The <var class="LITERAL">label</var> option is used to set the user class default
label which will be enforced by <acronym class="ACRONYM">MAC</acronym>. Users will never
be permitted to modify this value, thus it can be considered not optional in the user
case. In a real configuration, however, the administrator will never wish to enable every
policy. It is recommended that the rest of this chapter be reviewed before any of this
configuration is implemented.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Users may change their label after the initial login; however, this
change is subject constraints of the policy. The example above tells the Biba policy that
a process's minimum integrity is 5, its maximum is 15, but the default effective label is
10. The process will run at 10 until it chooses to change label, perhaps due to the user
using the setpmac command, which will be constrained by Biba to the range set at
login.</p>
</blockquote>
</div>

<p>In all cases, after a change to <tt class="FILENAME">login.conf</tt>, the login class
capability database must be rebuilt using <tt class="COMMAND">cap_mkdb</tt> and this will
be reflected throughout every forthcoming example or discussion.</p>

<p>It is useful to note that many sites may have a particularly large number of users
requiring several different user classes. In depth planning is required as this may get
extremely difficult to manage.</p>

<p>Future versions of FreeBSD will include a new way to deal with mapping users to
labels; however, this will not be available until some time after FreeBSD&nbsp;5.3.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN22146" name="AEN22146">15.4.1.2 Network Interfaces and Label
Settings</a></h3>

<p>Labels may also be set on network interfaces to help control the flow of data across
the network. In all cases they function in the same way the policies function with
respect to objects. Users at high settings in <var class="LITERAL">biba</var>, for
example, will not be permitted to access network interfaces with a label of low.</p>

<p>The <var class="OPTION">maclabel</var> may be passed to <tt
class="COMMAND">ifconfig</tt> when setting the <acronym class="ACRONYM">MAC</acronym>
label on network interfaces. For example:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">ifconfig bge0 maclabel biba/equal</kbd>
</pre>

<p>will set the <acronym class="ACRONYM">MAC</acronym> label of <var